Generating JWT - Zapier Reality Check

Description
Am I correctly understanding the use and generation of Zoom JWTs?

Context
I am using Zapier’s Webhooks to automate making a patch to existing meetings (adding alternate hosts), e.g.

curl --request PATCH \
  --url 'https://api.zoom.us/v2/meetings/<meetingID#>' \
  --header 'authorization: Bearer <JWT>' \
  --header 'content-type: application/json' \
  --data-raw '{
    "settings": {
      "alternative_hosts": "name1@company.com;name2@company.com;name3@company.com",
      "alternative_hosts_email_notification": "false"
    }
  }'

To generate JWTs I can use the Zoom App Credentials page, or JWT.io successfully with an expiration date for however long I am testing for.

To put this Zap into production, however, I would like to generate JWTs only at the time of the API call and with expiration times just long enough to cover the duration of the Zap processing (like, 10-15 minutes at most).

With Zapier, I think my only option is to make a JWT with an expiration date way out into the future, which seems insecure/poor practice. I’d like instead to have part of the automation be the creation of short-lived JWTs.

I am unable to access the two pages (Zoom App Credentials page, or JWT.io) to create JWTs using a Zapier Webhook action. Possibly there is a way to do this?

What I would like to do is generate a token with a short expiration time when the Zapier webhook is triggered to make the update. Is this possible through Zapier? I don’t think so because there is a limitation with Zapier - their Codeblock action does not allow for invoking external libraries (needed for encoding HmacSHA256).

Do I need to create a server which would generate the short-lived tokens? I.e. that I would make a Webhook call to and the results of which I would use to authorize the patch Webhook?

Is there a service which can provide this generation of Zoom JWTs to the Zapier automation?

Thanks!

Hey @mixelpix,

Thanks for reaching out about this. Are you leveraging the Zapier integration on our Marketplace here, or a separate plugin/integration?
https://marketplace.zoom.us/apps/Reljv66AS92-32P2hdEdng

Our Zoom/Zapier integration supports OAuth, so it sounds like you may be leveraging a different integration, is that right? If there’s no ability to alter how the integration generates the JWT token from within the integration you’re using, you may be limited.

But any additional details you can share about the integration you’re leveraging would be helpful to confirm.

Thanks,
Will


Hi @will.zoom ,

Thanks for the reply.

I am using the Zapier integration app from Zoom’s Marketplace to run the Zapier Zoom Action, and I have recently deleted and re-installed it (per Zoom’s Tech Support on a related topic regarding the generation of meeting passwords for embedded Join Meeting URLs; ticket #12719118).

The “Create Meeting in Zoom” Action available from Zapier does not support the addition of alternative hosts:

After I use the Zapier action to create the meeting, I then use Zapier’s Webhooks step to PATCH the alternative host details (per the cURL example syntax):

I’m leveraging the JSON Web Token authorization to make the PATCH. The JWT authorization token was generated on Zoom’s website per the App credentials page (for the production account) per the marketplace docs here: https://marketplace.zoom.us/docs/guides/auth/jwt#testing.

For automation development purposes, I have set a testing JWT with an expiration date far out into the future.

What I would like to do for the production implementation of the task automation is to generate a JWT just for the duration necessary to the Zapier task when the actions are triggered.

Our Zoom/Zapier integration supports OAuth, so it sounds like you may be leveraging a different integration, is that right? If there’s no ability to alter how the integration generates the JWT token from within the integration you’re using, you may be limited.

It reads like this would only be possible within Zapier if I used a Zapier Webhooks action with OAuth authorization - is that correct?

Does the Zoom API support webhook access to generate JWT tokens, or is that only available through the App credentials web page’s GUI (which is login-secure)?

As for JWT.io, AFAICT their API does not support JWT generation, only the libraries to do so. While Zapier has a Codeblock action, it does not support external libraries :\

It’s kind of a “can only get an id in the club and can’t get into the club without an id” problem

🥸🥴

Thanks again for the reply!

Hi @will.zoom,

I’ve read a little more closely about the flow with JWT to generate a new token using the steps in Zoom’s JWT App documentation:

Note: JWT may only be used for internal applications and processes. All apps created for third-party usage must use our OAuth app type.

When authenticating to the Zoom API, a JWT should be generated uniquely by a server-side application and included as a Bearer Token in the header of each request. Follow this guide to set up the generation and structure of these tokens.

If I understand correctly, to generate JWT auth tokens for use at the time when a Zapier action is triggered, I would need to have a server-side application encode the JWT header, payload, and signature to the Zapier app.

For example, the Zapier action gets triggered, then Zapier could make a webhook call to this server-side app to receive a new JWT auth token, then upon receiving the new and short-lived auth token, the Zapier app could make the secure webhook to Zoom.

I am not enough of a software engineer to have any confidence in deploying such a server-side app myself, but it certainly seems feasible. I suppose that would also then present the challenge of secure webhook access by Zapier to the server-side app… Which seems like the part where “I can only get an id inside the club, but can’t get inside the club without an id.”

Seems easier to just set a production token with an expiration date way out in the future, but I suppose this is bad practice?

Oh well, I think I have my answer 🙃 and some new learning goals in life:

  1. Internet security practices
  2. Server-app deployment
  3. OAuth

Hi @mixelpix,

Thank you for the detailed clarifications, and I’m glad things make a bit more sense now. Of course, should you run into any separate issues or questions, just let us know.

Best,
Will
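
The signing step discussed in this thread (encoded header, payload, and HMAC-SHA256 signature with a short expiry) needs no external library. The following is an added example, not code from any poster or from Zoom, using only the Python standard library. It assumes the `iss`/`exp` claim set from Zoom's JWT app guide; the key and secret values are constructed placeholders, and whether a given automation platform's code step exposes these modules is something to verify.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as compact JWS serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(api_key: str, api_secret: str, ttl_seconds: int = 900, now=None) -> str:
    """Build an HS256 JWT that expires ttl_seconds after `now` (default: current time)."""
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": api_key, "exp": issued + ttl_seconds}  # assumed claim set
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(api_secret.encode(), signing_input.encode("ascii"), hashlib.sha256)
    return signing_input + "." + _b64url(sig.digest())


def verify_jwt(token: str, api_secret: str, now=None) -> dict:
    """Check signature and expiry as a receiving server would; raise ValueError on failure."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{head_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(api_secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return payload
```

The string returned by `make_jwt` is what goes in the `authorization: Bearer <JWT>` header of the PATCH request at the top of the thread. The API secret should come from the platform's secret storage rather than being written into the step's code.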